Introduction
Welcome to the vucavoid documentation. This guide covers everything you need to manage governance, risk, and compliance for your organization.
Documentation Access
This documentation requires a vucavoid account with an active tenant membership. We restrict access because relentless AI scraping bots were causing significant performance issues for our platform. The Introduction section remains publicly accessible so you can evaluate whether vucavoid fits your needs before signing up.
What is vucavoid?
vucavoid is a Governance, Risk & Compliance (GRC) platform that helps organizations systematically identify, assess, and manage risks while tracking compliance with regulatory frameworks and internal policies.
Unlike spreadsheet-based approaches or fragmented tooling, vucavoid provides:
- A single source of truth for risks, controls, requirements, and evidence
- Connected data where risks link to controls, controls map to requirements, and everything traces back to assets and processes
- Real-time visibility through the VUCA score, showing your organization's GRC health at a glance
- Audit-ready documentation with full history and evidence trails
Whether you're pursuing ISO 27001 certification, preparing for SOC 2 audits, ensuring GDPR compliance, or managing internal risk policies, vucavoid provides the structure and tooling to do it systematically.
The VUCA Methodology
vucavoid is built around the VUCA framework. Originally developed for military leadership, VUCA describes four dimensions of challenge that organizations face:
| Dimension | What It Means | In GRC Context |
|---|---|---|
| Volatility (V) | Rapid, unpredictable change | Overdue deadlines, unaddressed findings, incidents without response |
| Uncertainty (U) | Lack of predictability | Missing risk assessments, gaps in control effectiveness data |
| Complexity (C) | Many interconnected parts | Multiple compliance frameworks, overlapping requirements, complex asset relationships |
| Ambiguity (A) | Lack of clarity | Unclear ownership, undefined responsibilities, missing documentation |
Your VUCA score aggregates signals across these dimensions to show where your GRC program needs attention. A low score indicates a well-managed program. A high score highlights areas requiring focus.
See VUCA Score for details on how the score is calculated and what drives each dimension.
Core Capabilities
Risk Management
Maintain a comprehensive risk register with clear ownership, assessment history, and treatment tracking.
- Identify and document risks with structured cause-consequence analysis
- Assess risks using configurable likelihood and impact scales
- Track treatment plans and monitor progress against deadlines
- Connect risks to the controls that mitigate them
See Risks and Risk Assessments.
Control Management
Document your security and compliance controls with effectiveness monitoring.
- Define controls with clear objectives and implementation details
- Track control effectiveness through regular reporting
- Map controls to the requirements they satisfy
- Collect evidence of control operation
See Controls and Control Effectiveness Reports.
Compliance Management
Track requirements from multiple frameworks and demonstrate fulfillment.
- Import requirements from standards like ISO 27001, SOC 2, PCI DSS, and GDPR
- Track fulfillment status for each requirement
- Link requirements to implementing controls
- Collect and organize compliance evidence
See References, Requirements, and Evidence.
Incident & Finding Management
Respond to security incidents and track audit findings through remediation.
- Document incidents with impact assessment and response actions
- Track findings from internal audits, external assessments, and compliance reviews
- Generate remediation tasks with deadlines and ownership
- Maintain full response history for audit purposes
Task Management
Keep work moving with centralized task tracking.
- Create tasks manually or generate them from risks, findings, and incidents
- Assign owners and set deadlines
- Track overdue items and escalation
- Filter by source to focus on specific GRC domains
See Tasks.
Asset & Organization Modeling
Document what you're protecting and how your organization is structured.
- Model your legal entity structure across jurisdictions
- Track IT assets with lifecycle and EOL/EOS information
- Document information assets with classification and handling requirements
- Map third-party relationships with risk context
See Organization & Assets for the full range of organizational modeling capabilities.
How Everything Connects
The power of vucavoid comes from connections between records:
- Risks → mitigated by → Controls → satisfy → Requirements
- Risks → affect → Assets
- Controls → supported by → Effectiveness Reports
- Requirements → evidenced by → Evidence
These relationships aren't just organizational. They drive:
- VUCA score calculations that reflect your actual GRC health
- Gap analysis showing where controls don't fully address risks or requirements
- Audit preparation with traceable evidence chains
- Impact assessment when assets or controls change
When you update a control's effectiveness, vucavoid knows which risks and requirements are affected. When an incident occurs, you can trace which assets were impacted and what controls should have prevented it.
Getting Started
If you're new to vucavoid, we recommend this path through the documentation:
- Key Concepts - Core terminology and how vucavoid thinks about GRC
- VUCA Score - Understanding the health metric that drives prioritization
- Demo Data - Context for the screenshots and examples you'll see
- First Login - Navigating your first session
- Dashboard - Understanding your home screen
From there, explore the sections most relevant to your role:
- Risk managers: Start with Risks and Risk Assessments
- Compliance officers: Start with References and Requirements
- Control owners: Start with Controls and Control Effectiveness Reports
- Auditors: Start with Findings and Baselines
Multi-Tenant Architecture
vucavoid is a multi-tenant platform. Each organization (tenant) has completely isolated data. Users can belong to multiple tenants, switching between organizations as needed.
Within a tenant, role-based permissions control what users can view and edit. From tenant administrators with full access to executive viewers with read-only dashboards, vucavoid supports the access patterns real organizations need.
See User Management for details on roles and permissions.
Related Resources
- Key Concepts - Core terminology and platform philosophy
- VUCA Score - How your GRC health is measured
- System Requirements - Browser and technical requirements
- Demo Data - About the NovaTrust demo environment